
8. KrCERT/CC Activity Report
Korea Internet Security Center - Korea

1. About KrCERT/CC

KrCERT/CC, also known as KISC (Korea Internet Security Center), serves as the nationwide Internet incident handling and coordination center in Korea, and is responsible for detecting, analyzing and responding to all nationwide Internet incidents such as hacking, worm/virus, bot, phishing, and other Internet threats. To mitigate the damage from those incidents and to ensure a more secure Internet environment, KrCERT/CC operates seamlessly on a 24/7 basis.

2. Internet Incident Statistics and Analysis

2.1. Overview

Internet incident reports received by KrCERT/CC are categorized into worm/virus, hacking incident, and bot. Hacking incident has subcategories: spam relay, phishing [1], intrusion attempt, webpage defacement, and other. The number of malicious code reports received by KrCERT/CC in 2009 is 10,395, a 23% increase over the 8,469 reported in 2008. The number of hacking incidents reported to KrCERT/CC in 2009 is 21,230, a 33% increase over the 15,940 reported in 2008.

[Figure legend: Worm/Virus, Spam Relay, Phishing Host, Intrusion + Other, Web Defacement, Bot Infection]

[1] Phishing targeting Korean brands is very rare; however, many Korean websites are abused as phishing hosts targeting foreign brands.

However, these figures do not necessarily imply that the damage caused by malicious code and hacking incidents has also increased or decreased. The current trend shows that attacks target a narrower scope and specific victims rather than the anonymous majority, and the victims vary from individuals to corporations. Therefore, estimating the overall damage caused by those incidents is getting more difficult, as the attacks evolve in aspect and methodology.

Worm/Virus

Throughout the year 2009, the number of worm/virus reports to KrCERT/CC is 10,395, a 22.7% increase over the 8,469 reported in 2008.
This is mainly due to an increase in malware such as ONLINEGAMEHACK, which is distributed to steal credentials for certain online games and accounts for 10.8% of all reported malware, followed by AGENT, which is used for downloading additional malware and accounts for 10.5%, throughout the year 2009.

Hacking Incident

The total number of hacking incident reports in 2009 is 21,230. Among them, spam relay (10,148) accounts for 47.8% and increased by 56% over the year 2008 (6,490).

[Figure: Internet incidents reported to KrCERT/CC in 2009]

The number of phishing hosts (988) decreased compared with that of the last year (1,163). The number of webpage defacements is 4,320 and others 3,031. The number of intrusion attempts (2,743) decreased compared with that of the last year (3,175). Phishing and intrusion attempts decreased. On the other hand, traditional incidents such as spam relay and web defacement increased, and together they account for over half of all incidents.

Efforts to reduce malware embedded websites

KrCERT/CC operates a malware embedded website detection and response system, MCFinder (Malicious Code Finder), which detects and manages malware embedded websites. This detection system crawls more than 180,000 websites in Korea, hunting for web pages that potentially embed malware or link to it. The system has a pattern database used to determine whether a website embeds malware and/or a link to it, and the database is continuously updated. Malware inserted into a website by a hacker often spreads through the Internet to the users who connect to the site. It then penetrates users' PCs without any noticeable indication, so that they can be abused as zombies or for stealing personal data.
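A minimal sketch of pattern-based detection of the kind described above, as an added example that is not KrCERT/CC's code and does not reproduce MCFinder's pattern database. The rules, host names and sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed pattern database (assumption): one regex rule and one host list.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
KNOWN_BAD_HOSTS = {"dist.malware.example"}  # constructed placeholder host

def is_hidden(attrs):
    """Zero-sized or CSS-hidden element, a common trait of injected frames."""
    zero = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return zero or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))

class LinkScanner(HTMLParser):
    """Collects iframe/script references that match a detection pattern."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname
        if not host or host == self.site_host:
            return  # inline or same-site reference: not an off-site link
        if host in KNOWN_BAD_HOSTS:
            self.findings.append(("known-host", tag, host))
        elif tag == "iframe" and is_hidden(attrs):
            self.findings.append(("hidden-offsite-iframe", tag, host))

def scan_page(site_host, html):
    scanner = LinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample pages standing in for crawled content.
PAGES = {
    "shop.example": '<html><body><h1>Sale</h1><iframe width="0" height="0" '
                    'src="http://cdn.other.example/x.html"></iframe></body></html>',
    "news.example": '<script src="http://dist.malware.example/a.js"></script><p>hi</p>',
    "blog.example": '<script src="/js/site.js"></script><iframe width="560" '
                    'height="315" src="http://video.example/embed"></iframe>',
}

def scan_all(pages):
    return {host: scan_page(host, html) for host, html in pages.items()}
```

A visible off-site embed such as the one on `blog.example` is not flagged, which is why the pattern database, not the mere presence of an external link, decides the verdict.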
Financial gain is often, if not mostly, the objective of these incidents these days, and this trend is stronger than ever before. The trend is visible in that many of the abused systems are eventually used for, or lead to, phishing or identity theft. To mitigate this trend, KrCERT/CC puts enormous effort into monitoring and handling malware embedded websites and taking those sites down, using the MCFinder system. The number of detected malware embedded websites in 2009 is 7,352, an 18% decrease from the 8,978 detected in 2008. We categorized them by business sectors as shown below.

Most of the web servers detected by the system run Microsoft IIS, which accounts for 34.3%; Apache accounts for 24.5%, and others 41.3%, as shown below.

Efforts to reduce bot infection

Bots have been one of the biggest threats in recent years, and domestic servers are continuously detected being exploited as bot C&C servers. It seems that domestic servers are continuously targeted because of the well-developed infrastructure in Korea, since bot C&C servers characteristically prefer faster networks. KrCERT/CC is putting great effort into reducing the domestic bot infection rate by monitoring bot C&C servers and applying the sinkhole method to them, with the cooperation of ISPs in Korea. The domestic bot infection rate peaked at 24.1% in January 2005 and gradually decreased month by month; the monthly average rate for 2008 was 8.1%, which decreased to 1.0% in 2009 [2]. The graph of the domestic bot infection rate in 2009, shown below, is very steady, and the average is much lower than that of the year 2008.

[Figure: Monthly domestic bot infection rate in 2009]

3. Events organized / co-organized